Tips and tricks in Java, eGovernment, Electronic Signature and Alfresco

security

Usually the default keytool shipped with Sun's JDK is used for local testing of applications that involve cryptographic operations. Portecle is a nice alternative that gives a graphical, Windows-like front end for the same tasks (keystores, keys and certificates). It can be launched by writing a simple CMD script and running it from the desktop.

Both XWSS and WSS4J are mature solutions, and both cover the mandatory part of the WS-Security standard. However, their implementations of the optional parts of the standard differ, and that produces conflicts in client-server communication between the two toolkits.

Recently we had to work with systems communicating through secure web services based on XWSS and WSS4J, and we had to solve two problems:

WSS4J doesn't support InclusiveNamespaces in the canonicalization methods of XMLDSig (the WSS standard treats this feature as optional).

WSS4J doesn't support a signed Timestamp (the WSS standard treats this feature as optional).

For the first issue we configured XWSS so that it does not use the InclusiveNamespaces prefix list in its XML canonicalization, since WSS4J cannot process it.

For the second issue someone decided to use an unsigned Timestamp. In my opinion this is unwise: a Timestamp that is not covered by the signature can be altered in transit without invalidating the message, so the replay protection it is supposed to provide is lost. But one can't always win…
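Both interop problems above are visible in the message structure itself, so a small structural check is a useful first diagnostic before digging into toolkit logs. The following Java class is an added example, not code from the original post or from XWSS/WSS4J: it parses a WS-Security header with the JDK's DOM parser, reports any ec:InclusiveNamespaces PrefixList present under the signature's canonicalization or transforms (the element WSS4J could not handle), and checks whether every wsu:Timestamp is the target of a ds:Reference (an unsigned Timestamp is the second problem). The SOAP envelopes are constructed inline; their digest and signature values are placeholders, because the check is purely structural.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WssInteropCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";
    static final String EC   = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** PrefixList values of every ec:InclusiveNamespaces element in the message (empty list if none). */
    static List<String> inclusiveNamespacePrefixLists(Document doc) {
        List<String> lists = new ArrayList<>();
        NodeList incl = doc.getElementsByTagNameNS(EC, "InclusiveNamespaces");
        for (int i = 0; i < incl.getLength(); i++) {
            lists.add(((Element) incl.item(i)).getAttribute("PrefixList"));
        }
        return lists;
    }

    /** True only if at least one wsu:Timestamp exists and each one is referenced by a ds:Reference URI="#id". */
    static boolean timestampIsSigned(Document doc) {
        NodeList timestamps = doc.getElementsByTagNameNS(WSU, "Timestamp");
        if (timestamps.getLength() == 0) return false;          // no timestamp at all: no replay protection
        Set<String> signedIds = new HashSet<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (uri.startsWith("#")) signedIds.add(uri.substring(1));
        }
        for (int i = 0; i < timestamps.getLength(); i++) {
            String id = ((Element) timestamps.item(i)).getAttributeNS(WSU, "Id");
            if (id.isEmpty() || !signedIds.contains(id)) return false;
        }
        return true;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs: messages from the network must never be able to pull in external entities (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Constructed sample envelope (not a real captured message); digests and signature are placeholders. */
    static String envelope(boolean signTimestamp, String prefixList) {
        String c14n = prefixList == null
            ? "<ds:CanonicalizationMethod Algorithm=\"" + EC + "\"/>"
            : "<ds:CanonicalizationMethod Algorithm=\"" + EC + "\">"
              + "<ec:InclusiveNamespaces xmlns:ec=\"" + EC + "\" PrefixList=\"" + prefixList + "\"/>"
              + "</ds:CanonicalizationMethod>";
        String tsRef = signTimestamp
            ? "<ds:Reference URI=\"#TS-1\"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>" : "";
        return "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsu=\"" + WSU + "\">"
            + "<soap:Header><wsse:Security xmlns:wsse=\"" + WSSE + "\">"
            + "<wsu:Timestamp wsu:Id=\"TS-1\"><wsu:Created>2009-05-01T10:00:00Z</wsu:Created>"
            + "<wsu:Expires>2009-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>"
            + "<ds:Signature xmlns:ds=\"" + DS + "\"><ds:SignedInfo>" + c14n
            + "<ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>" + tsRef
            + "<ds:Reference URI=\"#Body-1\"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>"
            + "</ds:SignedInfo><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>"
            + "</wsse:Security></soap:Header>"
            + "<soap:Body wsu:Id=\"Body-1\"><ping/></soap:Body></soap:Envelope>";
    }

    public static void main(String[] args) throws Exception {
        Document a = parse(envelope(true, "soap wsse"));   // XWSS-style: prefix list present, timestamp signed
        Document b = parse(envelope(false, null));         // the compromise the post describes: unsigned timestamp
        System.out.println("A: timestamp signed=" + timestampIsSigned(a)
            + " prefixLists=" + inclusiveNamespacePrefixLists(a));
        System.out.println("B: timestamp signed=" + timestampIsSigned(b)
            + " prefixLists=" + inclusiveNamespacePrefixLists(b));
    }
}
```

The Id matching here is a diagnostic, not a security control: matching a Reference URI against an element's wsu:Id by string alone can be fooled by an attacker who relocates the signed element and inserts a forged one with the same Id (XML signature wrapping). In a real receiver, run this kind of check on the nodes the signature validator actually dereferenced, after the signature itself has been verified, and also enforce the Created/Expires window.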

Some applications do not work with certificates to perform security operations; instead they use raw private keys for signing or encryption. Hence the private key must be stored as PKCS#8, the encoding of a bare private key, rather than inside a PKCS#12 keystore, which bundles the key with its certificate chain.

The following code shows how to generate and use a 1024-bit DSA private key. Note that the key is stored Base64-encoded so that the DER bytes can be handled as text. The Base64 code itself is not included; any available implementation will do.
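As an added example (my own code, not the listing from the original post), the class below does exactly what the paragraph describes with nothing but the JDK: it generates a 1024-bit DSA key pair, exports the private key in its PKCS#8 form and the public key in its X.509 SubjectPublicKeyInfo form, Base64-encodes both as text, reloads them from that text through KeyFactory, and signs and verifies a message. It uses java.util.Base64 (JDK 8 and later) in place of the author's own Base64 code, and SHA256withDSA as the signature algorithm. The 1024-bit size matches the text; it is no longer considered adequate, so in new systems use a larger DSA key or a different algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class RawDsaKeyDemo {

    /** Generate a DSA key pair of the given size (1024 to match the post; prefer larger in practice). */
    static KeyPair generate(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(bits, new SecureRandom());
        return kpg.generateKeyPair();
    }

    /** Java's PrivateKey.getEncoded() is PKCS#8 DER (getFormat() returns "PKCS#8"); wrap it in Base64 text. */
    static String exportPrivateKey(PrivateKey key) {
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** PublicKey.getEncoded() is X.509 SubjectPublicKeyInfo DER (getFormat() returns "X.509"). */
    static String exportPublicKey(PublicKey key) {
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** Reload the raw private key from Base64 text, the path an application without a keystore takes. */
    static PrivateKey importPrivateKey(String base64) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("DSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static PublicKey importPublicKey(String base64) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("DSA").generatePublic(new X509EncodedKeySpec(der));
    }

    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair pair = generate(1024);

        // Round trip through Base64 text, as if the keys had been read back from a config file.
        String privText = exportPrivateKey(pair.getPrivate());
        String pubText  = exportPublicKey(pair.getPublic());
        PrivateKey priv = importPrivateKey(privText);
        PublicKey pub   = importPublicKey(pubText);

        // Constructed sample payload; the second one simulates tampering after signing.
        byte[] data     = "order=42;amount=100".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "order=42;amount=900".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(priv, data);

        System.out.println("private key format: " + pair.getPrivate().getFormat());
        System.out.println("original verifies:  " + verify(pub, data, sig));
        System.out.println("tampered verifies:  " + verify(pub, tampered, sig));
    }
}
```

A PKCS#8 blob stored this way is unencrypted, so the file or configuration entry holding the Base64 text deserves the same access controls a keystore password would have protected; if that is not acceptable, use the encrypted PKCS#8 form (EncryptedPrivateKeyInfo) instead.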